From: Vincent Bernat Date: Sun, 30 Aug 2015 14:41:27 +0000 (+0200) Subject: apparmor: provide an apparmor profile X-Git-Tag: 0.8.0~74 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd7ee899dddd42a48fdff197b5be3c02021e1ceb;p=thirdparty%2Flldpd.git apparmor: provide an apparmor profile Currently, lldpd has to be installed in /usr/sbin/lldpd. Will change that later.
---
diff --git a/Makefile.am b/Makefile.am
index eabdd56a..7728212a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -41,4 +41,6 @@ MOSTLYCLEANFILES = $(DX_CLEANFILES)
 DISTCHECK_CONFIGURE_FLAGS = $(CONFIGURE_ARGS) \
 --with-sysusersdir=no \
 --with-systemdsystemunitdir=no \
- --with-launchddaemonsdir=no
+ --with-launchddaemonsdir=no \
+ --with-apparmordir=no
+
diff --git a/NEWS b/NEWS
index 5fd05a2c..2080105e 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ lldpd (0.8.0)
 case of static linking.
 + Introduce the notion of default local port. New interfaces will use it as a base. This allows setting various MED stuff.
+ + Provide an apparmor profile (untested).
 lldpd (0.7.17)
 * Fix:
diff --git a/configure.ac b/configure.ac
index fd72541a..6a42fc88 100644
--- a/configure.ac
+++ b/configure.ac
@@ -268,6 +268,13 @@ AC_SUBST([sysusersdir], [$with_sysusersdir])
 AM_CONDITIONAL(HAVE_SYSUSERSDIR,
 [test -n "$with_sysusersdir" -a "x$with_sysusersdir" != xno ])
+# AppArmor
+lldp_ARG_WITH([apparmordir], [Directory for AppArmor profiles (Linux)],
+ [no])
+AC_SUBST([apparmordir], [$with_apparmordir])
+AM_CONDITIONAL(HAVE_APPARMORDIR,
+ [test -n "$with_apparmordir" -a "x$with_apprmordir" != xno ])
+
 # Systemtap/DTrace
 lldp_SYSTEMTAP
diff --git a/edit.am b/edit.am
index 136db8e7..c3f047b5 100644
--- a/edit.am
+++ b/edit.am
@@ -1,6 +1,7 @@
 edit = $(SED) \
 -e 's|@bindir[@]|$(bindir)|g' \
 -e 's|@sbindir[@]|$(sbindir)|g' \
+ -e 's|@sysconfdir[@]|$(sysconfdir)|g' \
 -e 's|@pkgdatadir[@]|$(pkgdatadir)|g' \
 -e 's|@libdir[@]|$(libdir)|g' \
 -e 's|@includedir[@]|$(includedir)|g' \
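Review bot: The new AM_CONDITIONAL test in the configure.ac hunk compares `"x$with_apprmordir"` — the variable name is misspelled, so that operand expands to `x`, the `!= xno` half is always true, and `HAVE_APPARMORDIR` ends up true whenever `$with_apparmordir` is non-empty, which includes the default `[no]` declared two lines above. Combined with the `apparmor_DATA = usr.sbin.lldpd` rule in the src/daemon/Makefile.am hunk, a default build would try to install the profile into a directory literally named `no`. The fix is the one-character change `[test -n "$with_apparmordir" -a "x$with_apprmordir" != xno ])` → `[test -n "$with_apparmordir" -a "x$with_apparmordir" != xno ])`, and a comment such as `# default is "no"; the conditional must reject that literal` above the AM_CONDITIONAL would make the intent obvious to the next reader.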
@@ -13,7 +14,9 @@ edit = $(SED) \
 -e 's|@PRIVSEP_USER[@]|$(PRIVSEP_USER)|g' \
 -e 's|@PRIVSEP_GROUP[@]|$(PRIVSEP_GROUP)|g' \
 -e 's|@PRIVSEP_CHROOT[@]|$(PRIVSEP_CHROOT)|g' \
- -e 's|@LLDPD_CTL_SOCKET[@]|$(LLDPD_CTL_SOCKET)|g'
+ -e 's|@LLDPD_PID_FILE[@]|$(LLDPD_PID_FILE)|g' \
+ -e 's|@LLDPD_CTL_SOCKET[@]|$(LLDPD_CTL_SOCKET)|g' \
+ -e 's|@PRIVSEP_CHROOT[@]|$(PRIVSEP_CHROOT)|g'
 $(TEMPLATES): Makefile
 $(AM_V_GEN)mkdir -p $(@D) && $(edit) $(srcdir)/$@.in > $@.tmp && mv $@.tmp $@
diff --git a/src/daemon/Makefile.am b/src/daemon/Makefile.am
index 7cb2e925..c14d83aa 100644
--- a/src/daemon/Makefile.am
+++ b/src/daemon/Makefile.am
@@ -169,10 +169,17 @@ if HAVE_SYSUSERSDIR
 sysusers_DATA = lldpd.sysusers.conf
 endif
-TEMPLATES = lldpd.8 lldpd.service lldpd.sysusers.conf
-EXTRA_DIST += lldpd.8.in lldpd.service.in lldpd.sysusers.conf.in
+if HOST_OS_LINUX
+if HAVE_APPARMORDIR
+apparmor_DATA = usr.sbin.lldpd
+endif
+endif
+
+TEMPLATES = lldpd.8 lldpd.service lldpd.sysusers.conf usr.sbin.lldpd
+EXTRA_DIST += lldpd.8.in lldpd.service.in lldpd.sysusers.conf.in usr.sbin.lldpd.in
 CLEANFILES += $(TEMPLATES)
 lldpd.8: lldpd.8.in
 lldpd.service: lldpd.service.in
 lldpd.sysusers.conf: lldpd.sysusers.conf.in
+usr.sbin.lldpd: usr.sbin.lldpd.in
 include $(top_srcdir)/edit.am
diff --git a/src/daemon/usr.sbin.lldpd.in b/src/daemon/usr.sbin.lldpd.in
new file mode 100644
index 00000000..97e32334
--- /dev/null
+++ b/src/daemon/usr.sbin.lldpd.in
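Review bot: The last added line of the edit.am hunk, `-e 's|@PRIVSEP_CHROOT[@]|$(PRIVSEP_CHROOT)|g'`, duplicates the context line three lines above it, so the second expression is a no-op after the first substitution has already run. Dropping it keeps the `edit` list at one entry per placeholder; the tail would then be `-e 's|@LLDPD_PID_FILE[@]|$(LLDPD_PID_FILE)|g' \` followed by `-e 's|@LLDPD_CTL_SOCKET[@]|$(LLDPD_CTL_SOCKET)|g'` with no trailing backslash, which is the real purpose of the change.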
@@ -0,0 +1,63 @@
+#include
+
+@sbindir@/lldpd {
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_module,
+
+ # Need to receive/send raw packets
+ network packet raw,
+
+ @sbindir@/lldpd mr,
+
+ # Ability to run lldpcli for self-configuration
+ @sbindir@/lldpcli rix,
+ @sysconfdir@/lldpd.d/* r,
+ @sysconfdir@/lldpd.conf r,
+
+ # PID file and socket
+ @LLDPD_PID_FILE@ rw,
+ @LLDPD_CTL_SOCKET@ rw,
+
+ # Chroot setup
+ @PRIVSEP_CHROOT@/etc/ rw,
+ @PRIVSEP_CHROOT@/etc/localtime rw,
+
+ # Gather system description
+ /etc/os-release r,
+ /usr/lib/os-release r,
+ /usr/bin/lsb_release Cxr -> lsb_release,
+ profile lsb_release {
+ #include
+ #include
+ /usr/bin/lsb_release r,
+ /bin/dash ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/include/python2.[4567]/pyconfig.h r,
+ /etc/lsb-release r,
+ /etc/debian_version r,
+ /var/lib/dpkg/** r,
+
+ /usr/local/lib/python3.[0-4]/dist-packages/ r,
+ /usr/bin/ r,
+ /usr/bin/python3.[0-4] r,
+ }
+
+ # Gather network information
+ @{PROC}/sys/net/ipv4/ip_forward r,
+ @{PROC}/net/bonding/* r,
+ @{PROC}/self/net/bonding/* r,
+ /sys/devices/virtual/dmi/** r,
+ /sys/devices/pci**/net/*/ifalias r,
+}
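Review bot: `capability sys_module` in the main profile is the one grant that reaches beyond the daemon's own job — it lets the confined process load kernel modules — and nothing else in the profile (raw packet sockets, the chroot setup, running lsb_release) explains why lldpd would need it; unless the privilege-separated monitor really does load modules, drop that line so a compromised daemon does not keep module-loading rights, and if it is needed, say why in a one-line comment next to it so the next reviewer does not have to rediscover the reason. The `#include` directives appear here with no operand, which is presumably the `<…>` path lost in this rendering rather than the committed text, but since NEWS marks the profile untested it is worth confirming the generated file loads with `apparmor_parser` before release. The interpreter globs in the `lsb_release` child profile, `python2.[4567]` and `python3.[0-4]`, pin versions that will silently stop matching as distributions move on; a comment such as `# lsb_release is a Python script; keep these globs in step with the distro's abstractions/python` would tell whoever hits the resulting denial what to update.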